Monday, November 7, 2016

What is a Rootkit?

A rootkit is a collection of programs that gives attackers
administrator-level access to a computer. The term “rootkit” combines
“root” (the administrator account on Unix-like systems) and “kit” (the
set of tools that obtains or keeps that level of access), hence the
name.

Attackers usually install a rootkit to mask the intrusion and
continue malicious activities in a stealthy manner, as rootkits are
considerably difficult to detect and remove.

Attackers usually first obtain user-level access to a computer by
exploiting a security vulnerability or by guessing weak credentials,
and then gain administrator privileges by exploiting further
vulnerabilities.

Purpose of a Rootkit

A rootkit can be installed in a system for several purposes:

It can install spyware to secretly spy on the users and steal
sensitive data.

It can install a keylogger in the system to log the keystrokes of a
user and steal sensitive credentials.

It can install a backdoor to give the attackers full access to the
system.

Rootkits can even alter system logs to remain as stealthy as
possible, and infect other systems on the network with malware.

Types of Rootkits

There are several types of rootkits:

User-mode Rootkit

User-mode rootkits get installed in a system and run with
administrative privileges. They can alter security configurations in
a system and hide processes, files, system drives, network ports or
even system services. They can launch themselves automatically at
system start. But, as user-mode rootkits do not alter the Operating
System kernel, they are comparatively less stealthy and easier to
detect and remove.

Kernel-mode Rootkit

Kernel-mode rootkits are extremely stealthy and can be very difficult
to detect and remove. They infect a system and change the Operating
System kernel. As a result, the kernel itself can no longer be
trusted, and a detector that relies on the kernel's answers cannot see
the rootkit.

Hybrid Rootkit

A hybrid rootkit combines both user-mode and kernel-mode components.
Attackers widely use them to infect a system secretly, and they are
the most common type of rootkit.

Firmware Rootkit

Firmware rootkits hide themselves in system firmware when the system
shuts down and reinstall themselves when the system restarts. This
type of rootkit is difficult to remove: if a removal program finds the
rootkit and removes it without also removing it from the firmware, the
rootkit reinstalls itself when the system restarts.

Symptoms of Rootkit Infection

As discussed earlier, rootkits are extremely difficult to detect and
remove. But, there are a number of symptoms which may indicate a
rootkit infection:

The computer fails to respond to any kind of input from the mouse or
keyboard and locks up often.

System settings change suspiciously without the user's knowledge. For
example, the screensaver may change or the taskbar may hide itself.

Network access becomes very slow without any other known reason. This
may indicate exfiltration of data from the system to the attackers.

Detection and Removal of Rootkits

There are a number of security tools which can detect and remove a
good number of rootkits if used as per their instructions. Some such
rootkit detection and removal tools are:

F-Secure Blacklight

RootkitRevealer

Windows Malicious Software Removal Tool

ProcessGuard

Rootkit Hunter

Sophos Anti-Rootkit

Rootkit Hook Analyzer

VICE

RAIDE

chkrootkit

While removing a rootkit from a system, please read the current
instructions of the rootkit detection and removal tool and follow the
steps required before, during and after the removal. Once the rootkit
is removed, restart the system and scan again to make sure the
rootkit has not reinstalled itself. And, if nothing works,
repartition, reformat and reinstall the system. It is painful, but it
works.
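The reason a user-mode rootkit that hides processes is still catchable is that it hooks one view of the system (the process-listing API) but cannot hook every view at once. The cross-view comparison below, which is the technique that tools such as RootkitRevealer are built on, is an added example written for this post, not the code of any tool listed above: it takes two independent views of the process table and reports PIDs present in one but missing from the other. The two views are constructed sample data (an assumed ps-style API output and an assumed /proc listing); the Linux helper at the end shows how the same two views would be collected on a real host.

```python
"""Cross-view rootkit detection: compare a process list obtained through the
normal API with one obtained by bypassing it. Added example with constructed
sample views; the live-host helper is illustrative."""
import os
import re

# Constructed sample: what a (possibly hooked) ps-style API reported.
API_VIEW_OUTPUT = """\
  PID CMD
    1 /sbin/init
  412 /usr/sbin/sshd
  915 /usr/bin/python3 agent.py
 1203 -bash
"""

# Constructed sample: directory names seen when walking /proc directly.
RAW_PROC_ENTRIES = ["1", "412", "915", "1203", "1337", "self", "cpuinfo", "meminfo"]


def parse_api_view(text):
    """Extract the PID column from ps-style output (first integer on each row)."""
    pids = set()
    for line in text.splitlines()[1:]:  # skip the header row
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def parse_raw_view(entries):
    """Only the numeric entries of /proc are live PIDs; the rest are files."""
    return {int(e) for e in entries if e.isdigit()}


def cross_view_diff(api_pids, raw_pids):
    """Return (hidden, ghost).

    hidden: PIDs that exist in the raw view but were filtered from the API
            view, which is exactly what a process-hiding rootkit produces.
    ghost:  PIDs present only in the API view; usually a process that exited
            between the two snapshots, so it is reported separately.
    """
    hidden = sorted(raw_pids - api_pids)
    ghost = sorted(api_pids - raw_pids)
    return hidden, ghost


def report(api_text=API_VIEW_OUTPUT, raw_entries=RAW_PROC_ENTRIES):
    """Run the comparison on the two views and summarise the result."""
    hidden, ghost = cross_view_diff(parse_api_view(api_text), parse_raw_view(raw_entries))
    return {"hidden_pids": hidden, "ghost_pids": ghost, "suspicious": bool(hidden)}


def live_linux_views(max_pid=65536):
    """Illustrative only (not used by the sample run): on a Linux host, take a
    /proc walk as the API-independent view and a kill(pid, 0) probe as a second
    view; the probe succeeds, or raises PermissionError, for every live PID
    even if an entry has been hidden from directory listings."""
    proc_view = parse_raw_view(os.listdir("/proc"))
    probe_view = set()
    for pid in range(1, max_pid):
        try:
            os.kill(pid, 0)
            probe_view.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            probe_view.add(pid)
    return proc_view, probe_view


if __name__ == "__main__":
    print(report())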

Sunday, November 6, 2016

Towards the end of October, a huge cyber attack took down the
internet in many parts of the world. It was caused by a DDoS attack
made by a IoT botnet. But, what is a IoT botnet basically? And, how
can it make such a huge DDoS attack? In this article we would take a
deeper look into that.

What
is IoT Botnet ?

A botnet is basically a group of internet connected devices which are
controlled by the attackers for illicit purposes like stealing
sensitive information of users, sending spams, generating false
traffic to malicious websites using Click Fraud or making a DDoS
attack to suspend a service or an entire network completely for an
indefinite time.

IoT is made up of not only dedicated computers, but also healthcare
devices like cardiac implant monitors, household and industrial
appliances, automobiles, mechanical sensors and other smart
appliances. When attackers hack IoT devices to create a botnet and
exploit that for malicious purposes like making a DDoS attack, it is
called a IoT botnet.

To create a IoT botnet, attackers usually infect a group of IoT
devices with malware and gains unauthorized access of the devices.
These hacked devices are called zombies. The attackers then create a
network of these hacked zombie devices and control them to exploit
their computation power for illicit purposes like making a DDoS
attack.

What
is a DDoS Attack ?

A
DoS or
Denial of Service Attack is
an attack which is perpetrated for the purpose of making a target
machine or network resource unavailable for its intended users. This
attack is usually made to temporarily or indefinitely suspend a
service of a host connected to internet.

DDoS
Attack or Distributed Denial of Service Attack is
a DoS
attack in which the attack comes from multiple sources having
different IP addresses. Basically, a DDoS attack is a DoS attack in
which the attack is perpetrated using several source IP addresses.
Using IP address spoofing, the attackers normally hide their own IP
addresses, making it extremely hard to catch the attackers.

How
can a IoT Botnet be used to make a DDoS Attack ?

A
very good example of such IoT botnet is the botnet which affected
websites from Twitter to Reddit in October 21, 2016. Attackers used
malware named “Mirai” to infect IoT devices and created a huge
botnet out of them. The IoT botnet was then used to launch a DDoS
attack on the servers of DYN, which provides a dynamic DNS service
named DynDNS.

The
attackers first scanned for IoT systems with default usernames and
passwords or IoT systems configured with weak credentials. Such IoT
systems were then infected with Mirai malware to make them part of a
IoT botnet. Mirai could break into a wide range of IoT devices from
CCTV cameras to DVRs to other smart home appliances to turn them into
bots. Attackers created nearly half a million Mirai powered bots in
such way. The IoT botnet then exploited the computation power of
those hacked IoT devices to make a huge number of requests to servers
of DYN, which provides service for dynamic DNS.

When
a device wants to access any website or server, it makes a DNS query
to resolve the IP address of the server. The DNS servers provide the
IP address to the client device, using which the device can connect
to the required server. But nowadays, usually Dynamic Host
Configuration Protocol or DHCP is used to configure IP addresses of
servers, which keep changing over time. And to manage that, so that
DNS servers can always point to the correct IP addresses, Dynamic DNS
is used.

DYN
provides Dynamic DNS services to websites like Amazon, Spotify and
Twitter. As a result, when the IoT botnet attacked the servers of
DYN, those websites went down, creating a huge internet outage. In
fact, the IoT botnet was so huge that it started making tens of
millions of requests at the same time to the servers of DYN to
suspend its services.

There
are a number of other IoT botnets also, which hack the IoT systems
and exploit them for malicious purposes. Bashlight and Aidra are two
of them.

How
to secure IoT Devices ?

The
good thing is, we can always take a couple of simple steps to secure
the IoT devices.

Always
remember to change the default passwords of IoT systems while
configuring it. When attackers try to hack a IoT device, the first
thing they do is to try a list of easily available default usernames
and passwords of devices to gain access.

Do
not keep weak passwords. You can find a simple suggestion on how to
create a strong password and remember it efficiently at the same
time here: How to create a Strong Password

Enable
2 Factor Authentication wherever possible.

Update
firmware of IoT devices regularly. More updated a firmware is,
lesser are its security vulnerabilities.

Enable
Firewalls and IDPS wherever possible.

Please
make sure only the necessary ports of the IoT devices are open and
exposed outside.

Please
make sure network ports or services are not exposed to the internet
via UPnP.

DoS
attacks are one of the most serious threats of today. We often hear
about DoS attacks that temporarily or indefinitely suspend a service
or an entire network. How are these DoS attacks perpetrated and how
can we prevent them? In this article we would discuss about that.

What are a DoS and a DDoS Attack ?

A
DoS or
Denial of Service Attack is
an attack which
is perpetrated for
the purpose of making a target machine or network resource
unavailable for its intended users. This attack is
usually made
to
temporarily or
indefinitely suspend a service of a host connected to internet.

DDoS
Attack or
Distributed Denial of Service Attackis
an
attack in which the attack comes from multiple sources having
different IP addresses. Basically,
a DDoS attack is a DoS attack in which the attack is perpetrated
using several source IP addresses. Using
IP address spoofing, the attackers normally hide their own IP
addresses, making it extremely hard to catch the attackers.

Effects
of DoS Attacks

As
a result of
a DoS attack,
you may see:

Unusually
slow network performance.

Unavailability
of a particular website.

Dramatic
increase of number of spam emails received.

Disconnection
of internet connection.

The
effects can be sometimes long term or even for indefinite time.

Different
Types of DoS Attacks

There
are different
types of DoS Attacks.
Let's understand what each type of DoS Attack does:

UDP
Flood Attack

UDP Flood Attack is an attack which floods random ports of a
remote host with a large number of UDP packets. This makes the host
to repeatedly check the application which is listening to the port
and to reply with ICMP Destination Unreachable packets when no
application found. As a result, the host ends up exhausting
considerable amount of its resources and leads to a DoS Attack.

Internet
Control Message Protocol Flood or ICMP Flood

Smurf Attack is
this type of attack. In these attacks, the attacker sends lots of
ICMP broadcast packets forging the source address of the victim. As a
result, all the computers in the network send overwhelming number of
replies to the victim computer. As a result, the victim computer ends
up consuming all its network banwidth in sending replies and its
resources become unavailable for legitimate purposes

Ping
Flood

In this attack, the attacker sends a large number of ICMP Echo
Request or ping packets to the targeted victim's IP address, mostly
by using the flood option of ping. As a result, the victim's machine
starts responding to each ICMP packet by sending a ICMP Echo Reply
packet and ends up exhausting all its network bandwidth, resulting in
a DoS attack.

Ping
of Death

A correctly formed ping packet is typically 56 bytes in size. But
any IPv4 packet may be as large as 65,535 bytes. If the attacker
sends a malformed very large ping packet to the victim's IP address,
the IP packet will reach the targeted victim splitting into multiple
fragments. When the victim's machine will reassemble the IP
fragments, it will end up with IP packet larger than 65,535 bytes. As
a result, the victim's computer cannot handle that properly and a
buffer overflow will happen. It can result in a system crash and
potentially allowing the injection of malicious code. This type of
attacks are called Ping of Death.

SYN
Flood

In a SYN Flood, the attacker sends an enormous number of connection
request to the victim server, often forging his IP address. As a
result, the victim server ends up spawning lots of half open
connections, sending back a TCP/SYN-ACK packets and waiting for the
response. But as the attacker has forged his IP address, the sent
packets end up going to wrong IP addresses and the server never gets
a reply. But, these half-open connections saturate the maximum number
of open connections the server can have and the server can no more
respond to legitimate requests, resulting in a DoS attack.

Other
Application Level Flood

In this sort of attacks, the attacker floods the victim machine with
legitimate looking requests like database lookup, search requests
etc. It exploits few conditions like buffer overflow, and fills up
the diskspace of the victim machine or consume all its memory and CPU
cycles. As a result, the victim machine ends up exhausting all its
computational resources and results in a DoS Attack.

Banana
Attack

In this attack, the attacker redirects outgoing messages from the
victim machine back to the machine itself. As a result, the machine
ends up exhausting its own network bandwidth and becomes inaccessible
to outside network access, resulting in a DoS attack.

Slowloris

In this attack, the attacker's computer opens many connections to
the victim machine's webserver and try to keep them open as long as
possible. It mainly opens connections to the victim web server and
sends partial request. Periodically, it sends subsequent HTTP
headers, but never completes those requests. As a result, the victim
webserver keeps maximum possible connections open and becomes
inaccessible for legitimate connection requests.

NTP
Amplificaion Attack

NTP or Network Time Protocol is a protocol used by machines
connected to the internet to set their clocks accurately. These NTP
Servers are publicly accessible and can easily be found with tools
like MetaSploit and NMAP. NTP Amplification Attack is an attack in
which the attacker exploits these publicly available NTP Servers and
sends lots of UDP packets to the victim machine. As a result, the
victim machine ends up sending long replies which exhausts its
resources.

HTTP
Flood

HTTP Flood Attack is an attack in which the attacker sends lots
of legitimate looking malicious HTTP GET or HTTP POST requests to a
webserver. These requests consume significant amount of server's
respurces. As a result, the webserver ends up exhausting its
resources and results in a DoS attack.

Zero-day
DoS Attack

In this type of attacks, the attacker exploits vulnerabilities of
a software for which no patch is yet released and performs the DoS
attacks. This is quite a popular attack for attackers.

DNS
Amplification Attack

In this attack, the attacker sends lots of DNS query to a DNS
server, but forges the IP address of the victim machine as source IP
address of all the query packets. As a result, the DNS server ends up
sending all the responses to the victim machine. As DNS responses are
much larger in size, the responses end up flooding the victim machine
with responses and consuming its bandwidth.

CHARGEN
Attack

CHARGEN is a character generation protocol that listens to port
19 of TCP or UDP and continues to stream random characters until the
connection is closed. For UDP, it responds to a request with up to
512 byte response. In CHARGEN Attack, the attacker sends lots of
request with spoofed IP addresses and floods the victim machine with
UDP traffic at port 19, resulting in a DoS attack.

DrDoS
Attack or Reflection DoS Attack

In this attack, an attacker spoofs
his IP address,
and sends lots of request messages to other hosts of the network. As
the attacker uses the victim machine's IP address as the source IP
address of the outgoing request messages, all the other hosts sends a
response to the victim machine. At this point, if the attacker has
much higher bandwidth than the victim machine, the victim machine
gets lots of reponses which uses up all its network bandwidth. As a
result, victim machine becomes no longer available for legitimate
requests, resulting in a DoS attack.

SSDP
Reflection Attack

SSDP or Simple Service Discovery Protocol is a protocol which
enables network devices to smoothly connect with each other. It is
part of the Universal Plug and Play or UPnP protocol standard and is
used to connect devices such as computers, printers, internet
gateways, Wi-Fi access points, mobile devices, cable modems, gaming
consoles etc. In SSDP Reflection Attack, the attacker sends lots of
falsified request messages and redirects the amplified responses to
the victim machine. As a result, the victim machine gets flooded with
the responses, resulting in a DoS attack. The concept of this attack
is pretty new and it first appeared in July, 2014.

SNMP
Attack

SNMP or Simple Network Management Protocol is a protocol which is
used to manage devices with IP addresses, such as routers, servers,
printers, IP video cameras, alarms etc. These devices transmits
sensor readings and other variables over the network using this
protocol. In SNMP Attack, the attacker sends falsified SNMP requests
and redirects the responses to the victim machine, flooding it with
responses and thus it results in a DoS attack.

SSL
Flood

When a server provides a secure connection to a client, normally it
involves a large amount of processing cycles from the server's side.
This type of attacks exploits that scenario. The attacker requests
lots of secure connection to the server, and the server loses its
processing cycles to respond to the illegitimate connections, not
being able to respond to the legitimate ones.

SSL
Garbage Flood

In SSL Garbage Flood, the attacker sends lots of malformed SSL
requests to the victim machine. As these SSL requests takes lots of
computational resources of the SSL server, the victim machine ends up
exhausing all its resources, resulting in a DoS attack.

TCP
Null Attack

In this attack the attacker sends lots of IP packets to the victim
machine with the IPv4 headers filled with NULL. The firewalls
configured for TCP, UDP and ICMP packets may allow these packets. As
a result, the enormous amout of these packets flood the victim
machine, consuming its bandwidth.

LAND
Attack

It is a Local Area Network Denial attack. In this attack, the
attacker sends a TCP SYN packet to initiate a TCP connection with the
victim machine. But the attacker uses the victim machine's IP address
as both source and destination address. As a result, the victim
machine ends up replying to itself continuously, consuming all its
processing power and resulting in a DoS attack.

Teardrop
Attacks

In this attack, the attacker sends a mangled IP packet, with
oversized and overlapping payloads, to the victim. If the Operating
System of the victim's machine cannot handle it properly, the machine
will end up crashing, resulting in a DoS attack.

Peer-to-Peer
Attacks

In
this attack, the attacker gets control over the clients of a
peer-to-peer file sharing hub. He instructs the clients to disconnect
from their peer-to-peer network and connect to the victim's machine
instead. This results in hundreds of thousands of connection request
to the victim machine. As a result, the victim machine ends up
exhausting all its computational resources, resulting in a DoS
attack.

Slow
Read Attack

A Slow Read Attack sends a legitimate application layer request to
the victim machine, but it reads the responses from the machine very
slowly. The attacker advertises a very small number for the TCP
Receive Window size and empties the victim machine's receive buffer
slowly.

Smurf
Attack

In Smurf
Attack,
the attacker
creates lots of ICMP packets with the intended victim's IP address as
source IP address of those packets and broadcasts those packets in a
computer network using an IP Broadcast address. As a result,
computers in the network sends the responses to the victim machine.
And, the victim machine gets flooded with the responses, resulting in
a DoS attack.

Fraggle
Attack

This type of attack is similar to Smurf
Attack,
but instead of ICMP traffic, the attacker sends large number of
forged UDP traffic to the victim machine.

Prevention
of DoS Attacks

There
are a number of ways to prevent DoS attacks. It can be defended in
Application Layer, Transport Layer, Network Layer or by profiling
allowed traffic and filtering the traffic as per that.

Profiling
Application Layer Traffic

DoS
Attacks can be defended in Application Layer by profiling incoming
traffic to distinguish between humans, human bots or hijacked web
browsers and filtering traffic based on that. Several techniques can
be used to profile the incoming traffic. Various attributes like IP
and ASN informartion, HTTP headers, cookie support variation,
JavaScript footprint etc can be used to classify client requests and
filter out bots. Often fingerprinting is used to separate good bots
from the bad bots. Some DoS defense solutions also maintain visitor
state across sessions within an application to isolate real users
from repeat offenders.

Using
Progressive Challenges

A
set of progressive challenges can be used to isolate a legitimate
human user from a malicious bot. Transparent challenges like cookie
support or JavaScript execution can be used for this purpose. CAPTCHA
also can be used, so that a human can complete a CAPTCHA test and
move ahead.

Behavioral
Anomaly Detection

Anomaly
detection rules can be used to analyze behavioral patterns of
incoming traffic and detect non-human traffic or traffic from
hijacked or malware infected computers, which are often used to carry
out a DDoS attack.

Web
Application Firewall

Application
Layer firewalls can examine the payload of a packet and filter
traffic based on that. They can allow or deny certain Application
Layer requests coming from a user. Firewalls rules can also be
created to block malicious traffic on allowed ports.

Deep
Packet Inspection

Deep
Packet Inspection or DPI can look into the data part of a network
packet and filter traffic accordingly. DPI can monitor the payload of
each packet and detect protocols, applications, inappropriate URLs
and intrusion attempts. It also can produce much more detailed logs,
which can help in dealing with security incidents. DPI can eliminate
unwanted traffic before it can attack the entire network.

Using
IDS/IPS

IDS/IPS
can match the packet signature with existing attack signatures
present in a database and filter traffic accordingly. If a database
is adequately populated, they can detect and prevent network attacks
with much less false positives.

High
Capacity Network Bandwidth

High
capacity network bandwidth helps in preventing Layer 3 and Layer 4
DDoS attacks up to a great extent. Layer 3 or Layer 4 DDoS attacks
are usually possible if the network bandwidth of the attackers is
more than that of the attacked network. Hence, increasing the
capacity of the network bandwidth does help.

This
article was intended to give a brief overview of DoS attacks and its
prevention. Hope it helped.